Practical Guide to Alternative Data Streams in NTFS

Alternative Data Stream support was added to NTFS (Windows NT, Windows 2000 and Windows XP) to help support the Macintosh Hierarchical File System (HFS), which uses resource forks to store icons and other information for a file. While this is the intended use (along with a few Windows internal functions), there are other uses for Alternative Data Streams that should concern system administrators and security professionals. Using Alternative Data Streams a user can easily hide files that can go undetected unless closely inspected. This tutorial will give basic information on how to manipulate and detect Alternative Data Streams.

(Note about conventions: Alternative Data Streams are also sometimes referred to as Alternate Data Streams or ADS. Since "Alternative Data Streams" is so long, and "ADS" can be confused with Active Directory Services, I will simply call this feature AltDS for short.)

Creating an AltDS

Making an AltDS is fairly simple. I will use command line examples; feel free to follow along. We could hide some data in an AltDS behind an already existing file, but for this example we will create a new base file to hide behind:

Since the “type” command does not understand the colon operator we will have to use notepad to read the file:

Code:

C:\>notepad sample.txt:secret.txt

If all worked well, you should now see a notepad window with the text “You can't see me” in it. Also notice that while the amount of total free hard drive space went down, the file size of sample.txt did not increase:

Hopefully you now see a notepad window with hide.txt’s contents. If all one could do with AltDS was hide text files it would not be that impressive, but there’s much more that can be done with this useful NTFS feature.

Hiding and running an executable.

As it turns out, using AltDS to hide executables is not much harder than hiding text files. AltDS makes for a great way for malware to hide itself on a system. Here’s an example of how an executable can be hidden behind another file:

First we make our file to hide behind:

Code:

C:\WINDOWS>echo Test>test.txt

Next we put an EXE behind it; I'm just using notepad.exe because it’s convenient:

Code:

C:\WINDOWS>type notepad.exe>test.txt:note.exe

Next we confirm what someone sees when they open the text file:

Code:

C:\WINDOWS>type test.txt
Test

Now we will confirm the file size; notice that adding notepad.exe as a stream did not increase the size of test.txt.

Now we will attempt to run our hidden exe. Notice the “.\” in front of the file name; this is necessary because the “start” command needs to know the correct path to the file (at least if you are using XP).

Code:

C:\WINDOWS>start .\test.txt:note.exe
C:\WINDOWS>

If all worked well there should now be a notepad window up on your system. You should be able to hide just about any other EXE file this way if you wish.

IIS and Alternative Data Streams

While I was at Taco Bell recently I was thinking about what I could do in this tutorial that would make it a little different from other essays on Alternative Data Streams, which brought to mind a question: does Microsoft’s Internet Information Server work with Alternative Data Streams? As it happens, it does (at least IIS 6 at the time of this writing). I did the following commands to test it out:

Code:

W:\>echo the text file>t.txt
W:\>type xx.php >t.txt:x.php

xx.php being a PHP file with the following code:

Code:

<HTML>
<BODY>
<PRE>
<?
echo "If I see this I know it worked"
?>
</PRE>
</BODY>
</HTML>

If you are following along, try to see if you can read the text file off your server. If you don’t have an IIS server just look at the file on my student site (assuming the link is not dead by the time you read this tutorial): http://homepages.ius.edu/adrian/t.txt

That worked as expected. Next try to see if IIS parses out the colon and then interprets the PHP file in the Alternative Data Stream:

What do you know, it works! I could think of a few things that users might want to hide in web pages like this (movies, porn, scripts and such).

Hiding Videos

One can also hide videos in Alternative Data Streams, but depending on how you put them in the streams they can be hard to play. For my examples I will use a video with spaces in the name, just to complicate matters and show that it can be done. First let us create an AltDS behind the sample.txt file we made earlier; notice the use of quotation marks to compensate for the spaces in the file names:

Give the above command some time; subjectively it seems that AltDS is a little slow to work its magic. After the above command finishes we will attempt to open the video stream. I’ll use Windows Media Player in my example since most of you should have it on your box and I know it works with AltDS:

Since support for AltDS is hit and miss in Windows, we need an extra tool to suck the data back out of an AltDS and put it back in a regular file. For this we will use a Windows port of the *nix tool “cat” (download it and other tools from http://unxutils.sourceforge.net/). Retrieving the original file is simple:

If all works well "Naughty Linux Women.avi" should contain all the original data of the video we put into the stream.

Finding AltDS

Some anti-malware tools understand how to search Alternate Data Streams for malware. I know Ad-Aware SE Build 1.05 can recognize known spyware in AltDSes (see http://www.lavasoftsupport.com/index...howtopic=40692 for more details). I’ve had a devil of a time finding out if other tools like Spybot or Symantec Antivirus look at AltDS; the vendors' websites give little information on it. If you know, email me and I will update this tutorial.

Now I will show you a few tools you can use to find Alternate Data Streams. First there’s LADS by Frank Heyne (see the tools section at the bottom of this tutorial for where to download LADS and other apps). LADS seems to work quite well for finding the streams we created above:

I had to truncate the results above to save space, since Streams is doing a search of the whole C: drive. Streams also has the parameter “-d” to delete streams, but I don’t recommend that you use it unless you are sure of what you are doing.

For those of you who like to stick to GUIs there are three tools you might want to check out: ADS Spy, which is quite slick; Crucial ADS, which is also nice; and ADS Detector, which acts kind of like a plug-in for Explorer that lets you see Alternate Data Streams (unfortunately you have to sign up to download it, and so far I can’t seem to get it to work on my XP box). You can find links to all these tools at the bottom of this tutorial.

Quick answers and Factoids about AltDS

How do I delete AltDSes from a file?
Well, if you delete the file it’s attached to you will delete the AltDS, but I’m imagining you want to leave the base file intact. You can use a tool like Streams (see above) to delete the Alternative Data Streams, or you can rename the file and then use the “type” command to pipe it back to the original file name. Example:

A third option is to just move the files you want to remove streams from to a FAT32 drive, then move them back to the original drive. A window will pop up asking you to confirm the stream loss; just click yes.

I see a stream called “AFP_AfpInfo” on a lot of my files, should I worry?

Most likely it’s OK; this is usually an Apple file system fork like I mentioned at the beginning of this tutorial. AFP stands for Apple Filing Protocol, and this stream should contain information like the icon a Mac would use to show the file. The AFP_AfpInfo stream may have been put there when the file was touched by a Macintosh, or if the Windows box it was copied from had Services For Macintosh enabled. It’s possible that a deviant user could name one of their streams AFP_AfpInfo to try and hide it, but it’s not likely, because using this name could make it not work as expected when they try to run or open it.

I see a stream called “encryptable” on my Thumbs.db files, should I worry?

This is expected behavior for Windows; Thumbs.db holds thumbnails for folders when you choose the thumbnail view in Explorer. It’s OK, but if the size of the encryptable stream is over 0 bytes you might want to take a look at it. The same warnings as for AFP_AfpInfo apply.

Ok, what about streams called “SummaryInformation”, should I worry?

This is also expected behavior for Windows. Windows sometimes stores text information like titles, keywords, and revision numbers here. The same warnings as for AFP_AfpInfo apply.

Do streams survive being copied across the network or from one hard drive to another?

Yes, as long as both file systems are NTFS. If the destination is FAT32 the streams will be lost.
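As an added example (not part of the original tutorial), the following Windows PowerShell script does the job of the stream-finding tools above without a third-party download: it walks a folder, lists every stream that is not one of the expected names from the questions above, flags streams that begin with a PE "MZ" header the way test.txt:note.exe would, and can optionally delete the flagged streams like "Streams -d". It assumes Windows PowerShell 5.1 (the -Stream parameters need 3.0 or later; -Encoding Byte is 5.1 syntax) on an NTFS volume; the default root and the list of benign names are assumptions.

```powershell
# Added example, not from the original tutorial. Lists alternate data streams under
# $Root that are not the expected Windows/Mac ones described above, flags hidden PE
# executables, and optionally removes the flagged streams.
# Assumes Windows PowerShell 5.1 on NTFS; $Root and $KnownBenign are illustrative.
param(
    [string]$Root = 'C:\Users',
    [switch]$Remove   # delete flagged streams, like "Streams -d"; off by default
)

# Stream names the tutorial treats as normal. ':$DATA' is the file's own contents.
$KnownBenign = @(':$DATA', 'AFP_AfpInfo', 'SummaryInformation', 'Zone.Identifier')

function Find-UnexpectedStreams {
    param([string]$Path)
    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object { Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue } |
        Where-Object {
            # "encryptable" on Thumbs.db is fine at 0 bytes but worth a look otherwise
            if ($_.Stream -eq 'encryptable') { $_.Length -gt 0 }
            else { $KnownBenign -notcontains $_.Stream }
        }
}

function Test-PeStream {
    param([string]$File, [string]$Stream)
    # A Windows executable (e.g. notepad.exe hidden as test.txt:note.exe) starts with "MZ"
    $head = Get-Content -LiteralPath $File -Stream $Stream -Encoding Byte -TotalCount 2 -ErrorAction SilentlyContinue
    return ($head.Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
}

foreach ($s in Find-UnexpectedStreams -Path $Root) {
    $tag = if (Test-PeStream -File $s.FileName -Stream $s.Stream) { '  <-- PE header (MZ)' } else { '' }
    '{0}:{1}  {2} bytes{3}' -f $s.FileName, $s.Stream, $s.Length, $tag
    if ($Remove) { Remove-Item -LiteralPath $s.FileName -Stream $s.Stream }
}
```

Run it without -Remove first and review the list; as with "Streams -d", delete a stream only once you are sure what it is.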

I hope this tutorial helped you to better understand Alternative Data Streams. Please feel free to email me if you have questions, clarifications or more information.